Diligence data deserves diligence-grade security.
Zoe handles some of the most sensitive data a company has — org charts, decision flows, internal communication patterns. Here’s exactly how we protect it.
How we protect diligence data.
The six security pillars that govern how Zoe collects, processes, and stores every byte of customer data.
Encryption everywhere
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Keys are managed in dedicated KMS instances with automated rotation. No exceptions.
Least-privilege access
Role-based access controls with SSO and full audit logs. Diligence data is scoped per engagement and expires on a fixed schedule. No standing access.
Isolated tenancy
Each engagement runs in its own workspace with dedicated encryption keys. No cross-tenant data sharing, ever. Isolation is enforced at the storage layer, not in code.
Minimal data collection
Zoe collects only the metadata required to compute the diagnostic. We never read message bodies, code, documents, or financial line items. Source data can be purged immediately on request.
Compliance posture
SOC 2 Type II audit in progress. GDPR-aligned data handling. NDA and DPA available on request. HIPAA-aware architecture for healthcare engagements.
Responsible disclosure
Found a vulnerability? Email security@zoediagnostics.com. We respond within 24 hours and credit researchers in our public hall of fame.
Source data in. Scores out.
Raw metadata enters an isolated processing workspace, gets transformed into anonymized signal, contributes to the nine-dimension scoring engine, then is discarded.
Only the resulting scores, findings, and aggregated patterns persist after the report ships. The raw data never survives the engagement. This isn’t a policy — it’s how the system is built.
Where we are with each framework.
Honest status, not marketing-speak. We’re building toward enterprise compliance and we’ll tell you exactly where each piece stands.
Request our security questionnaire.
Same-day delivery of our full security questionnaire, NDA, and DPA. We’ve been through enterprise procurement before.